Addressing hackers and InfoSec experts in their “Ripped from the headlines, what the news tells us about information security incidents” speech at B-Sides San Francisco, Widup and Thompson revealed how they have been investigating the data breach numbers since May of last year.
Since then, they've been using Verizon's Data Breach Investigations Report and the open-source Veris Community Database to compile over 3,000 data sets from sources including news articles, Google Alerts, nondisclosure agreements, the Attorney General's website, government breach tools, Freedom of Information Act requests and sometimes – just “asking nicely”.
Thompson admitted that their data analysis is in its early days and as such it's not perfect. He noted reporters getting information wrong, submitted data being duplicated and a lack of data consistency. There also appears to be a slight slant towards government and healthcare data (both sectors are required to log major data losses), while the two data sets used (DBIR and VCDB) showed different results. For example, point-of-sale systems were the biggest source of data leaks in Verizon's own Data Breach Investigations Report, while human error was the biggest factor in the VCDB.
However, Thompson said that what cannot be denied is the sheer number of data breaches. Indeed, he noted Trend Micro's prediction last month that there would be a major data breach each month in 2014 and said that that number is actually pretty low.
Using a Poisson distribution to model the frequency of data breaches over a given time, Thompson revealed that major data breaches – which he classified as those exposing over a million records, based on data from 2011 to 2013 – could be as frequent as three a month.
“When I saw Trend Micro's prediction I thought it was pretty high,” said Thompson. “But the estimate is actually pretty low right now. Brace yourselves for an average of 3 [data breaches] a month.”
Thompson later told SCMagazineUK.com that the actual figure was 3.07 and that 2010 was not included as data breaches were not as widely reported at the time. “It was hard to tell if the zeros were real or if the breaches were not just being reported”.
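The Poisson model behind these figures, and the reporting-gap problem Thompson describes with the 2010 zeros, can be worked through in a few lines. The following is an added example and is not code from the talk, the DBIR or the VCDB; the monthly counts are constructed for illustration (the 2011–2013 series is built to average 3.0 per month, close to the 3.07 quoted above, and 2010 is a run of zeros standing in for unreported incidents). Only the standard library is used.

```python
import math

# Rate quoted in the article: 3.07 major (>1M-record) breaches per month, 2011-2013.
REPORTED_RATE = 3.07

# Constructed monthly counts (NOT real data). 36 months, sum 108 -> mean 3.0.
COUNTS_2011_2013 = [
    2, 4, 3, 1, 5, 3, 2, 4, 3, 3, 2, 4,   # 2011
    3, 5, 2, 4, 3, 1, 4, 3, 2, 5, 3, 2,   # 2012
    4, 3, 3, 2, 5, 3, 2, 2, 3, 2, 3, 3,   # 2013
]
# Constructed 2010 series: all zeros, the "are the zeros real?" case.
COUNTS_2010 = [0] * 12


def poisson_pmf(k, lam):
    """P(X = k) for a Poisson variable with mean lam."""
    return math.exp(-lam) * lam ** k / math.factorial(k)


def poisson_cdf(k, lam):
    """P(X <= k)."""
    return sum(poisson_pmf(i, lam) for i in range(k + 1))


def prob_at_least(k, lam):
    """P(X >= k), i.e. the chance of seeing k or more breaches in a month."""
    return 1.0 if k <= 0 else 1.0 - poisson_cdf(k - 1, lam)


def estimate_rate(monthly_counts):
    """Maximum-likelihood estimate of the Poisson rate: the sample mean."""
    return sum(monthly_counts) / len(monthly_counts)


def surprise_threshold(p, lam):
    """Smallest k such that P(X >= k) <= p: a monthly count at or above this
    is 'unusual' at level p under the model (useful as an alerting cut-off)."""
    k = 0
    while prob_at_least(k, lam) > p:
        k += 1
    return k


if __name__ == "__main__":
    lam = REPORTED_RATE
    print(f"P(no major breach in a month)      = {poisson_pmf(0, lam):.3f}")
    print(f"P(at most one, Trend Micro's view) = {poisson_cdf(1, lam):.3f}")
    print(f"P(six or more in a month)          = {prob_at_least(6, lam):.3f}")
    print(f"5% surprise threshold              = {surprise_threshold(0.05, lam)}")
    # Effect of treating unreported months as genuine zeros: the rate drops.
    print(f"rate, 2011-2013 only               = {estimate_rate(COUNTS_2011_2013):.2f}")
    print(f"rate, with 2010 zeros included     = "
          f"{estimate_rate(COUNTS_2010 + COUNTS_2011_2013):.2f}")
```

Two things the numbers make concrete: at a rate of about 3 a month, a month with zero major breaches has under a 5% chance of occurring, so a year of zeros (as in the constructed 2010 series) is far more plausibly a reporting gap than a quiet year, and folding those months in pulls the estimated rate from 3.0 down to 2.25. The surprise threshold shows how the same model can be used defensively: seven or more million-record breaches in one month would sit in the 5% tail and merits attention rather than being read as noise.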
Numbers like this have been hard to come by, although security software provider IS Decisions recently estimated that there were over 300,000 internal security breaches in UK businesses over the last year, averaging 1,190 per day. Intelligence consultancy firm Risk Based Security (RBS) estimated last week that there were 2,164 separate incidents, and over 822 million records exposed, in 2013 – nearly double the figures for 2011.
Verizon's data is available on Github and the researchers are actively reaching out to companies and individuals to help them with their data (via firstname.lastname@example.org). They currently have just over 3,000 data sets, a significant rise from last August, when the database had just 1,200 incidents primarily from 2012 to 2013.